This is an example of a standard entity-category-based attribute filter for SWAMID 2.0 in a Shibboleth IdP. It implements the attribute release that SWAMID's entity category policy expects an IdP to perform for SPs carrying those categories in federation metadata.
The latest published SWAMID example standard filter for Shibboleth Identity Provider 4 is available at https://mds.swamid.se/entity-configurations/Shibboleth-IdP/v4/attribute-filter.xml. Below is the version included from the publication repository at the time of export; compare it with the published file before deploying, since the copy here is a snapshot.
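<?xml version="1.0" encoding="UTF-8"?>
<!--
    SWAMID standard entity-category attribute filter for Shibboleth IdP 4.

    Every PolicyRequirementRule in this file keys on an entity attribute
    (http://macedir.org/entity-category, urn:oasis:names:tc:SAML:profiles:subject-id:req)
    or on a fixed entityID, all taken from the SP's metadata. The filter is
    therefore only as trustworthy as the metadata it is evaluated against:
    federation metadata should be loaded through a signature-validating
    MetadataProvider, and SP metadata that self-asserts an entity category
    should never be hand-loaded, otherwise an SP could grant itself any of
    the bundles below.

    Precedence among the REFEDS authorization categories is
    anonymous, then pseudonymous, then personalized. The NOT rules make sure
    an SP tagged with a lower-disclosure category never receives a richer
    bundle, so that tagging with several categories cannot widen release.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!--
        REFEDS Anonymous Authorization Entity Category.
        Releases only affiliation and home organisation; no identifier.
        NOTE(review): affiliation values are released unfiltered (ANY) here and
        in the pseudonymous policy, whereas the personalized, Code of Conduct
        and R&amp;S policies restrict them to the eduPerson controlled vocabulary.
        A locally defined affiliation value could be more identifying than this
        category intends; consider aligning after checking the published
        SWAMID version.
    -->
    <AttributeFilterPolicy id="releaseToRefedsAnonymous">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="https://refeds.org/category/anonymous" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        REFEDS Pseudonymous Authorization Entity Category.
        Adds a pairwise (per-SP) identifier and assurance to the anonymous
        bundle. Not applied when the SP is also tagged anonymous, so the
        lower-disclosure category wins (data minimisation).
    -->
    <AttributeFilterPolicy id="releaseToRefedsPseudonymous">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="http://macedir.org/entity-category"
                    attributeValue="https://refeds.org/category/pseudonymous" />
            <Rule xsi:type="NOT">
                <Rule xsi:type="EntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="https://refeds.org/category/anonymous" />
            </Rule>
        </PolicyRequirementRule>
        <AttributeRule attributeID="samlPairwiseID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        REFEDS Personalized Access Entity Category.
        Releases a global (non-pairwise) subject identifier plus name and mail.
        Not applied when the SP is also tagged anonymous or pseudonymous.
        Affiliation is limited to the eduPerson controlled vocabulary,
        compared case-insensitively.
    -->
    <AttributeFilterPolicy id="releaseToRefedsPersonalized">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="http://macedir.org/entity-category"
                    attributeValue="https://refeds.org/category/personalized" />
            <Rule xsi:type="NOT">
                <Rule xsi:type="OR">
                    <Rule xsi:type="EntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="https://refeds.org/category/anonymous" />
                    <Rule xsi:type="EntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="https://refeds.org/category/pseudonymous" />
                </Rule>
            </Rule>
        </PolicyRequirementRule>
        <AttributeRule attributeID="samlSubjectID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="faculty" caseSensitive="false" />
                <Rule xsi:type="Value" value="student" caseSensitive="false" />
                <Rule xsi:type="Value" value="staff" caseSensitive="false" />
                <Rule xsi:type="Value" value="alum" caseSensitive="false" />
                <Rule xsi:type="Value" value="member" caseSensitive="false" />
                <Rule xsi:type="Value" value="affiliate" caseSensitive="false" />
                <Rule xsi:type="Value" value="employee" caseSensitive="false" />
                <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        Honours the SAML subject identifier requirement tag
        (urn:oasis:names:tc:SAML:profiles:subject-id:req) for SPs under the
        GEANT Code of Conduct v1 or the REFEDS Code of Conduct v2. Code of
        Conduct may be combined with other entity categories.

        Data minimisation: a request of "any" yields only pairwise-id, and
        subject-id is sent only on an explicit "subject-id" request. The
        NOT rules keep an SP from obtaining both a pairwise and a global
        identifier via this policy together with the personalized or
        pseudonymous policies above.
    -->
    <AttributeFilterPolicy id="subject-identifiers">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="http://macedir.org/entity-category"
                    attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
            <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="http://macedir.org/entity-category"
                    attributeValue="https://refeds.org/category/code-of-conduct/v2" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="samlPairwiseID">
            <PermitValueRule xsi:type="AND">
                <!-- personalized SPs already get samlSubjectID; do not add a pairwise one -->
                <Rule xsi:type="NOT">
                    <Rule xsi:type="EntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="https://refeds.org/category/personalized" />
                </Rule>
                <Rule xsi:type="OR">
                    <Rule xsi:type="EntityAttributeExactMatch"
                            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                            attributeValue="pairwise-id" />
                    <Rule xsi:type="EntityAttributeExactMatch"
                            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                            attributeValue="any" />
                </Rule>
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="samlSubjectID">
            <PermitValueRule xsi:type="AND">
                <!-- pseudonymous SPs already get samlPairwiseID; never add a global one -->
                <Rule xsi:type="NOT">
                    <Rule xsi:type="EntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="https://refeds.org/category/pseudonymous" />
                </Rule>
                <Rule xsi:type="EntityAttributeExactMatch"
                        attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                        attributeValue="subject-id" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        GEANT Data Protection Code of Conduct v1 or REFEDS Data Protection
        Code of Conduct v2.
        Nothing is released by default: each attribute must be listed as a
        RequestedAttribute with isRequired="true" in the SP's metadata
        (AttributeInMetadata onlyIfRequired="true"). Because the request
        itself comes from metadata, this policy depends on the metadata
        source having vetted the SP's attribute requests.
    -->
    <AttributeFilterPolicy id="releaseToCodeOfConduct">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="http://macedir.org/entity-category"
                    attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
            <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="http://macedir.org/entity-category"
                    attributeValue="https://refeds.org/category/code-of-conduct/v2" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonOrcid">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <!--
            Swedish national identity numbers. Released only when required in
            metadata AND the SP was registered by SWAMID (RegistrationAuthority),
            so an SP registered through another federation can never obtain them
            through this policy. Do not loosen either condition.
        -->
        <AttributeRule attributeID="norEduPersonNIN">
            <PermitValueRule xsi:type="AND">
                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="personalIdentityNumber">
            <PermitValueRule xsi:type="AND">
                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="schacDateOfBirth">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="mailLocalAddress">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <!-- required in metadata AND limited to the eduPerson controlled vocabulary -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="AND">
                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                <Rule xsi:type="OR">
                    <Rule xsi:type="Value" value="faculty" caseSensitive="false" />
                    <Rule xsi:type="Value" value="student" caseSensitive="false" />
                    <Rule xsi:type="Value" value="staff" caseSensitive="false" />
                    <Rule xsi:type="Value" value="alum" caseSensitive="false" />
                    <Rule xsi:type="Value" value="member" caseSensitive="false" />
                    <Rule xsi:type="Value" value="affiliate" caseSensitive="false" />
                    <Rule xsi:type="Value" value="employee" caseSensitive="false" />
                    <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" />
                </Rule>
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="o">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="norEduOrgAcronym">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="c">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="co">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganizationType">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        REFEDS Research and Scholarship Entity Category.
        Releases the R&amp;S bundle (name, mail, ePPN, assurance, affiliation).
    -->
    <AttributeFilterPolicy id="releaseToRefedsResearchAndScholarship">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://refeds.org/category/research-and-scholarship" />
        <!--
            Cross-attribute rule: eduPersonTargetedID is permitted unless the
            user's eduPersonAssurance carries eppn-unique-no-reassign, i.e. the
            persistent identifier is sent only when ePPN may be reassigned.
            NOTE(review): when eduPersonAssurance is absent the NOT rule appears
            to permit ePTID; confirm this is the intended fallback.
        -->
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="NOT">
                <Rule xsi:type="Value"
                        value="https://refeds.org/assurance/ID/eppn-unique-no-reassign"
                        attributeID="eduPersonAssurance" />
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="faculty" caseSensitive="false" />
                <Rule xsi:type="Value" value="student" caseSensitive="false" />
                <Rule xsi:type="Value" value="staff" caseSensitive="false" />
                <Rule xsi:type="Value" value="alum" caseSensitive="false" />
                <Rule xsi:type="Value" value="member" caseSensitive="false" />
                <Rule xsi:type="Value" value="affiliate" caseSensitive="false" />
                <Rule xsi:type="Value" value="employee" caseSensitive="false" />
                <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        ESI, European Student Identifier (MyAcademicID).
        Only schacPersonalUniqueCode values in the ESI namespace are released;
        any other personalUniqueCode values the user carries are withheld.
        NOTE(review): the Shibboleth ValueRegex matcher is understood to require
        a whole-string match, which is why the trailing .* is needed; confirm
        against the IdP version in use.
    -->
    <AttributeFilterPolicy id="entity-category-european-student-identifier">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="https://myacademicid.org/entity-categories/esi" />
        <AttributeRule attributeID="schacPersonalUniqueCode">
            <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!--
        Sectigo Certificate Manager (TCS).
        This is a Requester rule keyed on entityID only, not on an entity
        category, so the release of ePPN, name and mail rests entirely on the
        metadata source binding this entityID to Sectigo's signing keys.
    -->
    <AttributeFilterPolicy id="releaseSectigoAttributeBundle">
        <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="tcsPersonalEntitlement">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- PLACEHOLDER DO NOT REMOVE -->
</AttributeFilterPolicyGroup>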